Fossil SCM

Omit the "ssl-acme" setting. Access to ".well-known" is now controlled by the --acme command-line option on "fossil http" and "fossil server". This change is required for the case where those commands specify a directory rather than a particular repository: without a specific repository, there are no settings to check.

drh 2021-12-28 19:00 ssl-server
Commit 4ef059bc2a73205e19b2f3eeb04f7b4de0f0164c1d2f2bb57227c74fc202f12b
3 files changed -7 +5 -31 +23 -1
-7
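--- a/src/db.c
+++ b/src/db.c
@@ -4264,17 +4264,10 @@
 /*
 ** SETTING: ssh-command width=40 sensitive
 ** The command used to talk to a remote machine with the "ssh://" protocol.
 */
 
-/*
-** SETTING: ssl-acme boolean default=off
-** If true, allow web pages with a path of "/.well-known/..." to retrieve
-** files stored in the ".well-known" subdirectory in the same directory as
-** the repository. This is needed by tools such as "certbot" to verify a
-** certificate signing request.
-*/
 /*
 ** SETTING: ssl-ca-location width=40 sensitive
 ** The full pathname to a file containing PEM encoded
 ** CA root certificates, or a directory of certificates
 ** with filenames formed from the certificate hashes as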
+5 -31
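--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -856,14 +856,10 @@
 ** Security) configuration for Fossil. TLS (formerly SSL) is the
 ** encryption technology used for secure HTTPS transport.
 **
 ** Sub-commands:
 **
-** acme ON/OFF Activate or deactivate web access to files in
-** the "./well-known" directory. This must be on
-** to support "certbot".
-**
 ** clear-cert Remove information about server certificates.
 ** This is a subset of the "scrub" command.
 **
 ** load-cert PEM-FILES... Identify server certificate files. These
 ** should be in the PEM format. There are
@@ -895,22 +891,10 @@
 nCmd = 4;
 }else{
 zCmd = g.argv[2];
 nCmd = strlen(zCmd);
 }
- if( strncmp("acme",zCmd,nCmd)==0 ){
- if( g.argc!=4 ) usage("acme ON/OFF");
- db_unprotect(PROTECT_CONFIG);
- if( is_truth(g.argv[3]) ){
- db_set_int("ssl-acme",1,0);
- }else if( is_false(g.argv[3]) ){
- db_unset("ssl-acme",0);
- }else{
- fossil_fatal("unknown argument: \"%s\"", g.argv[3]);
- }
- db_protect_pop();
- }else
 if( strncmp("clear-cert",zCmd,nCmd)==0 && nCmd>=4 ){
 int bForce = find_option("force","f",0)!=0;
 verify_all_options();
 if( !bForce ){
 Blob ans;
@@ -1097,21 +1081,10 @@
 " with servers. Few servers actually require this, so this setting\n"
 " is usually blank.\n\n"
 );
 }
 
- fossil_print("ssl-acme: %s\n",
- db_get_boolean("ssl-acme",0) ? "on" : "off");
- if( verbose ){
- fossil_print("\n"
- " This setting enables web access to files in the \".well-known\"\n"
- " subdirectory in the same directory as the repository. Such access\n"
- " is required to obtain a certificate from services like\n"
- " \"Let's Encrypt\" using the tools like \"certbot\".\n\n"
- );
- }
-
 zValue = db_get("ssl-cert",0);
 if( zValue ){
 fossil_print("ssl-cert: (%d-byte PEM)\n", (int)strlen(zValue));
 }else{
 fossil_print("ssl-cert:\n");
@@ -1204,13 +1177,14 @@
 }
 
 /*
 ** WEBPAGE: .well-known
 **
-** If the "ssl-acme" setting is true, then this page returns the content
-** of files found in the ".well-known" subdirectory of the same directory
-** that contains the repository file. This facilitates Automated Certificate
+** If the "--acme" option was supplied to "fossil server" or "fossil http" or
+** similar, then this page returns the content of files found in the
+** ".well-known" subdirectory of the same directory that contains the
+** repository file. This facilitates Automated Certificate
 ** Management using tools like "certbot".
 **
 ** The content is returned directly, without any interpretation, using
 ** a generic mimetype.
 */
@@ -1218,11 +1192,11 @@
 char *zPath = 0;
 const char *zTail = P("name");
 Blob content;
 int i;
 char c;
- if( !db_get_boolean("ssl-acme",0) ) goto wellknown_notfound;
+ if( !g.fAllowACME ) goto wellknown_notfound;
 if( g.zRepositoryName==0 ) goto wellknown_notfound;
 if( zTail==0 ) goto wellknown_notfound;
 zPath = mprintf("%z/.well-known/%s", file_dirname(g.zRepositoryName), zTail);
 for(i=0; (c = zTail[i])!=0; i++){
 if( fossil_isalnum(c) ) continue;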
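Review bot: A repository that already has "ssl-acme" enabled stops serving /.well-known after this change, because the gate at new line 1197 reads only `g.fAllowACME` and nothing in the visible hunks reports or migrates the old setting. The failure is closed, which is the safe direction, but certificate renewal would fail without any warning until --acme is added to the server command line. A line in the WEBPAGE comment such as `** The former "ssl-acme" setting is ignored; pass --acme instead.` would document the switch. The page function begins and continues outside the hunk, so the zTail character check that follows is not reviewed here.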
+23 -1
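--- a/src/main.c
+++ b/src/main.c
@@ -166,10 +166,11 @@
 int fCgiTrace; /* True if --cgitrace is enabled */
 int fQuiet; /* True if -quiet flag is present */
 int fJail; /* True if running with a chroot jail */
 int fHttpTrace; /* Trace outbound HTTP requests */
 int fAnyTrace; /* Any kind of tracing */
+ int fAllowACME; /* Deliver files from .well-known */
 char *zHttpAuth; /* HTTP Authorization user:pass information */
 int fSystemTrace; /* Trace calls to fossil_system(), --systemtrace */
 int fSshTrace; /* Trace the SSH setup traffic */
 int fSshClient; /* HTTP client flags for SSH client */
 int fNoHttpCompress; /* Do not compress HTTP traffic (for debugging) */
@@ -1700,11 +1701,13 @@
 if( c=='_' ) continue;
 if( c=='-' && zRepo[j-1]!='/' ) continue;
 if( c=='.' && fossil_isalnum(zRepo[j-1]) && fossil_isalnum(zRepo[j+1])){
 continue;
 }
- if( c=='.' && strncmp(&zRepo[j-1],"/.well-known/",12)==0 && j==nBase+1){
+ if( c=='.' && g.fAllowACME && j==nBase+1
+ && strncmp(&zRepo[j-1],"/.well-known/",12)==0
+ ){
 /* We allow .well-known as the top-level directory for ACME */
 continue;
 }
 /* If we reach this point, it means that the request URI contains
 ** an illegal character or character combination. Provoke a
@@ -1774,10 +1777,25 @@
 cgi_set_content_type(zMimetype);
 cgi_set_content(&content);
 cgi_reply();
 return;
 }
+
+ /* In support of the ACME protocol, files under the .well-known/
+ ** directory is always accepted.
+ */
+ if( g.fAllowACME
+ && strncmp(&zRepo[nBase],"/.well-known/",12)==0
+ && file_isfile(zCleanRepo, ExtFILE)
+ ){
+ Blob content;
+ blob_read_from_file(&content, file_cleanup_fullpath(zRepo), ExtFILE);
+ cgi_set_content_type(mimetype_from_name(zRepo));
+ cgi_set_content(&content);
+ cgi_reply();
+ return;
+ }
 zRepo[j] = '.';
 }
 
 /* If we reach this point, it means that the search of the PATH_INFO
 ** string is finished. Either zRepo contains the name of the
@@ -2614,10 +2632,11 @@
 ** If the --localauth option is given, then automatic login is performed
 ** for requests coming from localhost, if the "localauth" setting is not
 ** enabled.
 **
 ** Options:
+** --acme Deliver files from the ".well-known" subdirectory
 ** --baseurl URL base URL (useful with reverse proxies)
 ** --chroot DIR Use directory for chroot instead of repository path.
 ** --ckout-alias N Treat URIs of the form /doc/N/... as if they were
 ** /doc/ckout/...
 ** --extroot DIR document root for the /ext extension mechanism
@@ -2728,10 +2747,11 @@
 g.zMainMenuFile = find_option("mainmenu",0,1);
 if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
 fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);
 }
 decode_ssl_options();
+ if( find_option("acme",0,0)!=0 ) g.fAllowACME = 1;
 
 /* We should be done with options.. */
 verify_all_options();
 if( g.httpUseSSL ){
 if( useSCGI ){
@@ -2944,10 +2964,11 @@
 ** --localauth option is present and the "localauth" setting is off and the
 ** connection is from localhost. The "ui" command also enables --repolist
 ** by default.
 **
 ** Options:
+** --acme Deliver files from the ".well-known" subdirectory.
 ** --baseurl URL Use URL as the base (useful for reverse proxies)
 ** --chroot DIR Use directory for chroot instead of repository path.
 ** --ckout-alias NAME Treat URIs of the form /doc/NAME/... as if they were
 ** /doc/ckout/...
 ** --create Create a new REPOSITORY if it does not already exist
@@ -3077,10 +3098,11 @@
 g.zCkoutAlias = find_option("ckout-alias",0,1);
 g.zMainMenuFile = find_option("mainmenu",0,1);
 if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
 fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);
 }
+ if( find_option("acme",0,0)!=0 ) g.fAllowACME = 1;
 
 /* Undocumented option: --debug-nofork
 **
 ** This sets the HTTP_SERVER_NOFORK flag, which causes only the
 ** very first incoming TCP/IP connection to be processed. Used for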
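Review bot: The prefix test `strncmp(&zRepo[nBase],"/.well-known/",12)==0` in the new ACME block (new lines 1786-1788) compares only 12 of the 13 characters of "/.well-known/", so the trailing slash is never checked and any top-level name that merely begins with ".well-known" satisfies it. The same length is used in the character filter at new line 1707, so the leading-dot exemption extends to such names as well. Comparing all 13 bytes, `strncmp(&zRepo[nBase],"/.well-known/",13)==0`, confines both checks to the ACME directory itself. zCleanRepo is assigned outside the hunk (the enclosing function is not fully visible), so confirm that `file_isfile(zCleanRepo, ExtFILE)` and the read of `file_cleanup_fullpath(zRepo)` always name the same file. The block comment would be more accurate as `files under the .well-known/ directory are accepted when --acme is given`.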
